The passwords of as many as 320,000 Time Warner Cable residential customers nationally who have email addresses through the company may have been stolen in a hacking attack, the company has confirmed.

The company would not confirm whether any of its approximately 380,000 Maine customers were affected, saying only that the breach included “residential customers across our markets.” Time Warner, the largest cable provider in Maine, has 16 million business and residential customers in 29 states, according to its website. The company also offers television, telephone and Internet services.

Company spokeswoman Nathalie Burgos said in an email Thursday that the company was contacting customers through email and direct mail so they can “take precautions to protect their accounts and update their passwords using a strong, unique alternative.”

People who have Time Warner’s Roadrunner email accounts, with the .rr.com tag, are at particular risk, Burgos said, especially if the accounts contain sensitive personal and financial information.

Burgos said the emails and passwords probably were stolen either through malware – harmful computer software and viruses – downloaded through digital attacks, or indirectly through data breaches of third-party companies that stored Time Warner customers’ information, including email addresses.

“Our understanding is that the compromise had nothing to do with TWC’s systems or processes,” Burgos said in her email. “We haven’t yet determined how the information was obtained, but there are no indications that our systems were breached.”

Internet security expert Ed Sihler said Thursday that the severity of such a breach depends on how customers use their Time Warner email accounts. If they use their email to deal with credit cards, tax accounts or other sensitive personal information, or their messages contain Social Security numbers, there could be a problem, said Sihler, technical director for the Maine Cyber Security Cluster at the University of Southern Maine in Portland.

If an email account is used only for junk mail or not at all, there is little threat, but users should change their email passwords to prevent their accounts from being used as platforms to send spam, he said.

The FBI recently notified the company that some customers’ email addresses, including account passwords, may have been compromised, Burgos said. The company estimates that as many as 320,000 could be affected.

Joshua Silver, who specializes in cybersecurity for the Bernstein, Shur, Sawyer & Nelson law firm in Portland, said the actual number of Time Warner customers affected probably exceeds the company’s initial estimate, which is 2 percent of the company’s 16 million-customer base.

He cited other large, national incidents such as the 2013 Target Brands Inc. breach, in which the discount retailer’s initial estimates fell far short of the 70 million people now believed to have been affected.

“That’s almost always the case,” Silver said. “You get lowballed in the beginning.”

“It sounds like from what I’m reading that someone has gotten a password database,” Sihler said. “I would expect the number of accounts (affected) to go up if it was an actual breach.”

A customer might not even realize an account has been compromised if all a hacker does is read a few emails. But if someone starts sending out spam to people from the email account, “the user notices fairly quickly because of the angry responses that fill the inbox,” Sihler said.

Sihler said the best way to protect personal accounts from data breaches is to change passwords regularly and make them challenging to break. Time Warner customers who don’t use the company’s email service probably won’t be affected by the breach, he said.

“It doesn’t sound like they got into the billing database, so they didn’t get billing information directly,” Sihler said.

Sihler said the problem could be as simple as an employee misplacing a USB stick with password information.

Burgos also said the company has “several tips on how to navigate the Web more carefully and avoid phishing schemes on our website.” Phishing refers to a practice in which criminals try to access sensitive information or install harmful software by posing as legitimate sources, such as banks or other financial institutions, through email and social media.

Sihler said it is also unclear whether the passwords were encrypted when they were stolen. If the passwords were encrypted, it could take hundreds of days for whoever wanted them to put them into plain language, Sihler said.

The Winslow and Waterville police departments warned the public about the security breach in Facebook posts Thursday morning.

Waterville Deputy Chief Charles Rumsey said Thursday that his department had not received any complaints in response to those posts.

“It stands to reason we will find out some people in the state were affected, but we have heard nothing yet,” Rumsey said.

Portland Press Herald Staff Writer J. Craig Anderson contributed to this report.